You can create a list of trusted certificates for Horizon FLEX virtual machines and import the list to the Horizon FLEX Policy Server. When you use a trusted certificates list, you do not need to install certificates on end-user hosts.

Using a list of trusted certificates can prevent malicious users from creating their own self-signed certificates for the same hostname and adding those certificates to their host's list of trusted certificates.

When you configure the Horizon FLEX Policy Server to use a trusted certificates list, the client host ignores the host's list of certificates and uses the trusted certificates list to verify server connections instead. If the client host cannot verify a certificate by using the trusted certificates list, the server connection fails.

If the trusted certificates list is empty in the source virtual machine, Workstation Player and Fusion Pro authenticate against the host's list of trusted certificates.

To create the trusted certificates list, you export each certificate to a separate file and then concatenate all of the files into a single file. You use the Horizon FLEX Admin Console to import the concatenated certificates file to the Horizon FLEX Policy Server.

You must export certificates in Privacy Enhanced Mail (PEM) format. On Windows systems, the PEM certificate encoding is called Base-64 encoded X.509 (.CER). Only PEM-encoded certificates are supported. No other certificate format (DER, Serialized Certificate Store/SST, PKCS #12/PFX, PKCS #7/P7B) is accepted.

The PEM format is a standard certificate format that is Base64 encoded.

You can create PEM-format certificates by downloading the certificate from the CA's Web site or by exporting the certificates from a host system.

After you export your PEM-format certificates, you must construct the trusted certificate list and import the certificates list file to the Horizon FLEX Policy Server.